Spring 5 Security OAuth2 登录重定向循环 [英] Spring 5 Security OAuth2 Login Redirect Loop
问题描述
我想使用 Spotify Web API,但在使用 Spring Security 配置时遇到问题.这是我的安全依赖项:
I want to work with Spotify Web API, but I'm having trouble with Spring Security Configuration. Here are my security dependencies:
/* springBootVersion = '2.1.2.RELEASE' */
implementation "org.springframework.security:spring-security-oauth2-client"
implementation 'org.springframework.security:spring-security-oauth2-jose:5.1.6.RELEASE'
implementation "org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.7.RELEASE"
这是我在 application.yml
文件中的安全性:
And here's my security in my application.yml
file:
spring:
security:
oauth2:
client:
registration:
spotify:
provider: spotify-provider
client-id: <client-id>
client-secret: <client-secret>
client-authentication-method: basic
authorization-grant-type: authorization_code
redirect-uri: http://localhost:8080/
scope: <comma delimited scopes>
provider:
spotify-provider:
authorization-uri: https://accounts.spotify.com/authorize
token-uri: https://accounts.spotify.com/api/token
user-info-uri: https://api.spotify.com/v1/me
我的问题是,在我登录并重定向回我的应用程序后,它卡在 URL http://localhost:8080/oauth2/authorization/spotify
上并出现错误
My issue is that after I login and get redirected back to my application, it gets stuck on the URL http://localhost:8080/oauth2/authorization/spotify
with the error
localhost 给你重定向了太多次.
localhost redirected you too many times.
这是我的 java 安全配置的样子:
Here's what my java security configuration looks like:
@Configuration
public class SpotifySecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.oauth2Login();
}
}
推荐答案
重定向循环是因为 /oauth2/authorization/
端点是安全的,因此触发返回到 Web API访问令牌.
The Redirect Loop was because the /oauth2/authorization/
endpoint was secured, thus it was triggering going back to the Web API for an access token.
我已将配置更新为:
@Configuration
public class SpotifySecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/home", "/login**","/callback/", "/webjars/**", "/error**", "/oauth2/authorization/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.oauth2Login();
}
}
第二个问题是 redirect-uri
是 Web API 将访问令牌发送到 Spring 以用于获取刷新令牌的 URI.我以为是登录成功.Spring 已经有处理刷新令牌的实现,但我不知道它应该使用什么端点.出于某种原因,redirect-uri 不能为空,没有默认值,我会得到这个错误:
The second issue was that the redirect-uri
is the URI that the Web API will send the access token to Spring to be used to get the refresh token. I thought it was for a successful login. Spring already has an implementation for handling refresh tokens, but I did not know what endpoint it should use. For some reason, the redirect-uri cannot be blank, there is no default, I would get this error:
IllegalArgumentException:redirectUriTemplate 不能为空
IllegalArgumentException: redirectUriTemplate cannot be empty
要使用 Spring 的刷新令牌实现,我需要将重定向 uri 设置为:
To use Spring's refresh token implementation I needed to set the redirect-uri to this:
redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
redirect-uri-template
是 redirect-uri
的别名(它们是同一个变量).
redirect-uri-template
is an alias for redirect-uri
(they're the same variable).
我在另一个 stackoverflow 帖子中找到了 redirect-uri
:
I found the redirect-uri
in another stackoverflow post:
authorizationGrantType 不能为空Spring Security 5 OAuth 客户端和 Spring Boot 2.0
这篇关于Spring 5 Security OAuth2 登录重定向循环的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!